Skip to main content
Skip table of contents

KB 238 - Fields missing in Certificates CIM Mapping

KB 238 (Splunk): Fields missing in Certificates CIM Mapping

Category: Problem

Priority: High

Platform: Splunk

Version: 1 from 17.12.2025

Description

The Certificates CIM mapping is missing a number of fields such as ssl_start_time, ssl_end_time, and ssl_issuer.

Cause

The addition of the HDB_CERT_LIST event type to the Certificates mapping was malformed, causing both HDB_CERT_LIST and STRUST fields to fail their CIM mapping conversions.

Resolution

In Splunk, navigate to Settings > Fields > Calculated Fields. Set your App filter to “PowerConnect for SAP Solutions (BNW-app-powerconnect)” and Configuration Source filter to “Created in App”. Find the following fields by field name, check their eval expressions, and replace with the new expressions as needed:

Field Name

Old Eval Expression

New Eval Expression

ssl_end_time

SPLUNK-SPL 
if(EVENT_TYPE="HDB_CERT_LIST",VALID_UNTIL,EVENT_TYPE="STRUST",strptime(VALID_TO." ".UTCSIGN.substr(UTCDIFF,0,4), "%Y%m%d%H%M%S %z"),ssl_end_time)
SPLUNK-SPL 
case(EVENT_TYPE="HDB_CERT_LIST",VALID_UNTIL,EVENT_TYPE="STRUST",strptime(VALID_TO." ".UTCSIGN.substr(UTCDIFF,0,4), "%Y%m%d%H%M%S %z"),true(),ssl_end_time)

ssl_start_time

SPLUNK-SPL 
if(EVENT_TYPE="HDB_CERT_LIST",VALID_FROM,EVENT_TYPE="STRUST",strptime(VALID_FROM." ".UTCSIGN.substr(UTCDIFF,0,4), "%Y%m%d%H%M%S %z"),ssl_start_time)
SPLUNK-SPL 
case(EVENT_TYPE="HDB_CERT_LIST",VALID_FROM,EVENT_TYPE="STRUST",strptime(VALID_FROM." ".UTCSIGN.substr(UTCDIFF,0,4), "%Y%m%d%H%M%S %z"),true(),ssl_start_time)

ssl_validity_window

SPLUNK-SPL 
if(EVENT_TYPE="HDB_CERT_LIST",strptime(VALID_UNTIL." ".UTCSIGN.substr(UTCDIFF,0,4), "%Y%m%d%H%M%S %z")-strptime(VALID_FROM." ".UTCSIGN.substr(UTCDIFF,0,4), "%Y%m%d%H%M%S %z"),EVENT_TYPE="STRUST",strptime(VALID_TO." ".UTCSIGN.substr(UTCDIFF,0,4), "%Y%m%d%H%M%S %z")-strptime(VALID_FROM." ".UTCSIGN.substr(UTCDIFF,0,4), "%Y%m%d%H%M%S %z"), ssl_validity_window)
SPLUNK-SPL 
case(EVENT_TYPE="HDB_CERT_LIST",strptime(VALID_UNTIL." ".UTCSIGN.substr(UTCDIFF,0,4), "%Y%m%d%H%M%S %z")-strptime(VALID_FROM." ".UTCSIGN.substr(UTCDIFF,0,4), "%Y%m%d%H%M%S %z"),EVENT_TYPE="STRUST",strptime(VALID_TO." ".UTCSIGN.substr(UTCDIFF,0,4), "%Y%m%d%H%M%S %z")-strptime(VALID_FROM." ".UTCSIGN.substr(UTCDIFF,0,4), "%Y%m%d%H%M%S %z"),true(), ssl_validity_window)

ssl_issuer

SPLUNK-SPL 
if(EVENT_TYPE="HDB_CERT_LIST",ISSUER_NAME,EVENT_TYPE="STRUST",ISSUER,ssl_issuer)
SPLUNK-SPL 
case(EVENT_TYPE="HDB_CERT_LIST",ISSUER_NAME,EVENT_TYPE="STRUST",ISSUER,true(),ssl_issuer)

ssl_subject

SPLUNK-SPL 
if(EVENT_TYPE="HDB_CERT_LIST",SUBJECT_NAME,EVENT_TYPE="STRUST",SUBJECT,ssl_subject)
SPLUNK-SPL 
case(EVENT_TYPE="HDB_CERT_LIST",SUBJECT_NAME,EVENT_TYPE="STRUST",SUBJECT,true(),ssl_subject)

ssl_serial

SPLUNK-SPL 
if(EVENT_TYPE="HDB_CERT_LIST",CERTIFICATE_ID,EVENT_TYPE="STRUST",SNUMBER,ssl_serial)
SPLUNK-SPL 
case(EVENT_TYPE="HDB_CERT_LIST",CERTIFICATE_ID,EVENT_TYPE="STRUST",SNUMBER,true(),ssl_serial)

Product version

Product

From

To

PowerConnect for SAP Solutions (Splunk App)

8.3.0

9.0.1

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close